CN109583181B - Authentication method, authentication device and machine-readable storage medium - Google Patents


Info

Publication number: CN109583181B
Authority: CN (China)
Prior art keywords: authentication, dynamic, user, password, account
Legal status: Active
Application number: CN201811444791.1A
Other languages: Chinese (zh)
Other versions: CN109583181A
Inventors: 郝兆旭, 刘靖靖
Current assignee: Hangzhou H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/31 User authentication
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2133 Verifying human interaction, e.g., Captcha

Abstract

An embodiment of the invention provides an authentication method, an authentication device and a machine-readable storage medium. An authentication server checks an account name and password sent by an authentication client and, if the check succeeds, generates a two-dimensional code and sends it to the authentication client, which displays it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, which forwards the scanned two-dimensional code information and its application account information to an application server according to that access interface information. The authentication server then receives a first application account identifier fed back by the application server; if one of the application account identifiers bound to the account name is the same as the first application account identifier, a dynamic password is generated from the dynamic key bound to the account name and sent to the user side, and the authentication server authenticates the first dynamic password that the user enters and the authentication client forwards. By this scheme, network security can be improved.

Description

Authentication method, authentication device and machine-readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an authentication method, an authentication device, and a machine-readable storage medium.
Background
In a personal network or an enterprise network, in order to ensure the safe operation of the network, a user is required to pass login authentication to normally access the network. In a general authentication process, a user inputs an account name and a password on an authentication client, an authentication server verifies the account name and the password, and if a preset matching relationship is met, the authentication is determined to be successful. However, in general, the password is statically configured in advance based on the account name, so that the password is easily stolen, and the security risk of the network is high.
To address this, in a corresponding authentication method the authentication client sends an authentication request to the authentication server; on receiving it, the authentication server randomly generates a dynamic password, sends it to the authentication client for hidden storage, and informs the user of the dynamic password by short message. The user enters the dynamic password at the authentication client, which sends both the password entered by the user and the hidden stored copy to the authentication server; the authentication server compares the two dynamic passwords and, if they are the same, determines that authentication has succeeded.
Because the dynamic password is stored hidden on the authentication client, if the way the authentication client hides and stores it is cracked, an attacker can easily recover or modify the hidden dynamic password and submit the same value to the authentication server for authentication, thereby attacking the network; network security is therefore still poor.
Disclosure of Invention
Embodiments of the present invention provide an authentication method, an authentication device, and a machine-readable storage medium, so as to improve network security. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides an authentication method, which is applied to an authentication server in an authentication system, and the method includes:
receiving an account name and a password sent by an authentication client;
verifying the account name and the password, and generating a two-dimensional code after the account name and the password are successfully verified;
sending the two-dimensional code to the authentication client so that the authentication client can display it;
after determining that the user side has scanned the two-dimensional code, sending access interface information to the user side, so that the user side sends the scanned two-dimensional code information and application account information to an application server according to the access interface information;
receiving a first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information;
judging whether an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name;
if the same identifier exists, acquiring the dynamic key bound to the account name, generating a dynamic password according to the dynamic key, and sending the dynamic password to the user side; and receiving the first dynamic password input by the user and sent by the authentication client, and authenticating according to it.
In a second aspect, an embodiment of the present invention provides an authentication method, which is applied to an authentication client in an authentication system, and the method includes:
sending an account name and a password input by a user to an authentication server so that the authentication server verifies the account name and the password, and generating a two-dimensional code after the verification is successful;
receiving the two-dimension code sent by the authentication server, displaying the two-dimension code, enabling a user end to scan the two-dimension code, and sending scanned two-dimension code information and application account information to an application server according to access interface information sent by the authentication server;
receiving a first dynamic password input by a user;
and sending the first dynamic password to the authentication server so that the authentication server performs authentication according to the first dynamic password.
In a third aspect, an embodiment of the present invention provides an authentication apparatus, which is applied to an authentication server in an authentication system, and the apparatus includes:
the receiving module is used for receiving the account name and the password sent by the authentication client;
the verification module is used for verifying the account name and the password and generating a two-dimensional code after the account name and the password are verified successfully;
the sending module is used for sending the two-dimension code to the authentication client so that the authentication client can display the two-dimension code; after the user side is determined to scan the two-dimensional code, sending access interface information to the user side, so that the user side sends the scanned two-dimensional code information and application account information to an application server according to the access interface information;
the receiving module is further configured to receive a first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information;
the judging module is used for judging whether an identifier which is the same as the first application account identifier exists in the application account identifiers bound by the account names;
the obtaining module is used for obtaining the dynamic key bound to the account name if the judgment result of the judging module is that the same identification exists;
the generating module is used for generating a dynamic password according to the dynamic key and sending the dynamic password to the user side;
and the authentication module is used for receiving and authenticating according to the first dynamic password input by the user and sent by the authentication client.
In a fourth aspect, an embodiment of the present invention provides an authentication apparatus, which is applied to an authentication client in an authentication system, and the apparatus includes:
the sending module is used for sending the account name and the password input by the user to an authentication server so that the authentication server can verify the account name and the password, and after the verification is successful, a two-dimensional code is generated;
the receiving module is used for receiving the two-dimensional code sent by the authentication server, displaying the two-dimensional code, enabling the user side to scan the two-dimensional code, and sending scanned two-dimensional code information and application account information to the application server according to the access interface information sent by the authentication server; receiving a first dynamic password input by a user;
the sending module is further configured to send the first dynamic password to the authentication server, so that the authentication server performs authentication according to the first dynamic password.
In a fifth aspect, an embodiment of the present invention provides an authentication server, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the instructions are loaded and executed by the processor to implement the method steps of the first aspect of the embodiments of the present invention.
In a sixth aspect, the present invention provides a machine-readable storage medium, in which machine-executable instructions are stored, and the instructions are loaded and executed by a processor to implement the method steps of the first aspect of the present invention.
In a seventh aspect, an embodiment of the present invention provides an authentication client, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions executable by the processor, and the instructions are loaded and executed by the processor to implement the method steps of the second aspect of the embodiments of the present invention.
In an eighth aspect, the present invention provides a machine-readable storage medium, in which machine-executable instructions are stored, and the instructions are loaded and executed by a processor to implement the method steps of the second aspect of the present invention.
In the authentication method, authentication device and machine-readable storage medium provided by the embodiments of the present invention, the authentication server checks the account name and password sent by the authentication client, generates the two-dimensional code after the check succeeds and sends it to the authentication client, which can display it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends the access interface information to the user side, so that the user side can send the scanned two-dimensional code information and the application account information to the application server according to that access interface information; the application server feeds back the first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information. If an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, the dynamic key bound to the account name is obtained, a dynamic password is generated from it and sent to the user side, and the authentication server receives the first dynamic password input by the user and sent by the authentication client and authenticates it. By using the binding relationship between the account name and the application account identifier, the authentication server generates and issues the dynamic password only when the first application account identifier of the user side is the same as an application account identifier bound to the account name. An attacker must therefore crack the account name and password and, in addition, the application account identifier bound to the account name and the dynamic password, so the cracking difficulty is high and network security is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of an authentication method applied to an authentication server according to an embodiment of the present invention;
Fig. 2 is a flowchart of an authentication method applied to an authentication client according to an embodiment of the present invention;
Fig. 3 is a schematic interaction flow diagram of an authentication method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an authentication device applied to an authentication server according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an authentication device applied to an authentication client according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an authentication server according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an authentication client according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve network security, embodiments of the present invention provide an authentication method, an authentication device, an authentication server, an authentication client, and a machine-readable storage medium. The following first introduces an authentication method provided in an embodiment of the present invention.
The authentication method provided by the embodiment of the present invention can be applied to an authentication system that may include a user side, an authentication client, an authentication server and an application server. The user side may be a software client capable of scanning a two-dimensional code; the authentication client may be a hardware electronic device (e.g., a personal computer or mobile phone) installed with application software such as a browser, or a software client of the authentication server; the authentication server may be a server providing authentication services for a network management server; and the application server may be the back-end management server of the application software that scans the two-dimensional code. In this embodiment the authentication server and the application server do not belong to the same vendor.
As shown in Fig. 1, an authentication method provided in an embodiment of the present invention is applied to an authentication server and may include the following steps:
S101. Receive an account name and a password sent by the authentication client.
S102. Verify the account name and the password, and generate the two-dimensional code after verification succeeds.
S103. Send the two-dimensional code to the authentication client so that the authentication client displays it.
S104. After determining that the user side has scanned the two-dimensional code, send access interface information to the user side so that the user side sends the scanned two-dimensional code information and the application account information to the application server according to the access interface information.
S105. Receive the first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information.
S106. Judge whether an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name.
S107. If the same identifier exists, acquire the dynamic key bound to the account name, generate a dynamic password according to the dynamic key, send the dynamic password to the user side, and receive and authenticate the first dynamic password input by the user and sent by the authentication client.
As shown in Fig. 2, an authentication method provided in an embodiment of the present invention is applied to an authentication client and may include the following steps:
S201. Send the account name and password input by the user to the authentication server so that the authentication server verifies them and generates the two-dimensional code after verification succeeds.
S202. Receive the two-dimensional code sent by the authentication server and display it, so that the user side can scan it and send the scanned two-dimensional code information and application account information to the application server according to the access interface information sent by the authentication server.
S203. Receive a first dynamic password input by the user.
S204. Send the first dynamic password to the authentication server so that the authentication server performs authentication according to it.
The user enters an account name and password on the authentication client, which forwards them to the authentication server for verification. If verification succeeds, the authentication server generates a two-dimensional code and sends it to the authentication client, which displays it so that the user can scan it with the user side. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, and the user side sends the scanned two-dimensional code information and its application account information to the application server according to that access interface information. The application server looks up the corresponding first application account identifier from the application account information and, guided by the scanned two-dimensional code information, sends it to the authentication server. When the authentication server determines that an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, it obtains the bound dynamic key, generates a dynamic password and sends it to the user side; the user then enters that dynamic password on the authentication client, and the authentication server authenticates the entered dynamic password.
According to the scheme, by utilizing the binding relationship between the account name and the application account identification, when the first application account identification of the user side exists in the application account identification bound with the account name, the authentication server generates and issues the dynamic password, and an attacker needs to crack the account name and the password and also needs to crack the application account identification and the dynamic password bound with the account name during attack, so that the cracking difficulty is high, and the network security is improved.
For convenience of understanding, the authentication method provided by the embodiment of the present invention is described below in terms of an interactive process of a user side, an authentication client, an authentication server, and an application server, and as shown in fig. 3, the authentication method may include the following steps:
S301. The authentication client sends the account name and the password input by the user to the authentication server.
The authentication client can be an electronic device provided with application software such as a browser, network management software, third-party application and the like, and is a hardware electronic device for login authentication. The account name and password are used for logging in the authentication server.
S302, the authentication server verifies the account name and the password, and generates a two-dimensional code after verification is successful.
The authentication server holds a recorded matching relationship between account names and passwords, so after it receives the account name and password it can verify whether the preset matching relationship is met. If it is not met, a verification failure result can be fed back directly to the authentication client, which prompts the user that the account name or password is wrong. If the matching relationship is met, verification succeeds and the corresponding two-dimensional code can be generated. Specifically, after verification is determined to be successful, a 32-bit dynamic key may be randomly generated, with a corresponding relationship between the dynamic key and the account name, and a two-dimensional code containing the dynamic key information is generated from the dynamic key.
S303, the authentication server sends the two-dimensional code to the authentication client.
S304, the authentication client displays the two-dimensional code.
S305, the user terminal scans the two-dimensional code.
After the two-dimension code is generated by the authentication server, the two-dimension code is sent to the authentication client side, and the two-dimension code is displayed by the authentication client side. After observing the two-dimensional code displayed on the authentication client, the user can scan the two-dimensional code by using the user terminal.
It should be noted that in this embodiment the user side may be a software client of third-party application software that can scan the two-dimensional code, such as WeChat or PayPal, and the user side may be installed on the authentication client or, equally, on another mobile device separate from the authentication client.
S306, after the authentication server determines that the user side scans the two-dimensional code, the authentication server sends access interface information to the user side.
When the user terminal scans the two-dimensional code, the user terminal can access the page of the authentication server, and after the authentication server determines that the user terminal scans the two-dimensional code, namely, identifies an event that the user terminal accesses the page, the authentication server sends access interface information to the user terminal, wherein the access interface information comprises an access address of the application server.
And S307, the user side sends the two-dimensional code scanning information and the application account information to the application server according to the access interface information.
The access interface information includes an access address of the application server, for example, a web page address, and the user terminal can access the application server and send the scanned two-dimensional code information and the application account information to the application server. The information of the scanned two-dimensional code comprises an account name and a dynamic key, and the account name and the dynamic key can be hidden in the two-dimensional code, so that the account name and the dynamic key can be extracted by the user side after the user side scans the two-dimensional code and are sent to the application server, and the application server can identify which authentication server the information should be fed back to; the application account information may include information such as account name, country, sex, etc. of the application account.
And S308, the application server feeds back the first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information.
After receiving the application account information, the application server can look up the unique application account identifier of that application account, and can determine from the scanned two-dimensional code information which authentication server to feed the found first application account identifier back to.
S309. When the authentication server determines that an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, it obtains the dynamic key bound to the account name and generates a dynamic password from it.
If the account name, the application account identifier and the corresponding dynamic key are bound in the authentication server, after the first application account identifier fed back by the application server is received, the authentication server needs to judge whether the identifier which is the same as the first application account identifier exists in the application account identifiers bound with the account name, if the identifier which is the same as the first application account identifier exists, a dynamic password is generated according to the bound dynamic key, and authentication is performed based on the dynamic password.
Optionally, if the application account identifier with the bound account name does not have an identifier identical to the first application account identifier, the authentication server may determine that the authentication has failed.
If the application account identifier with the bound account name is different from the first application account identifier, it indicates that the application account identifier for scanning the two-dimensional code is not the application account identifier bound with the account name before, and the user of the application account identifier may be an illegal user, and it may be determined that the authentication has failed.
If the user is authenticated by logging in for the first time, the authentication server does not record the binding relationship among the account name, the application account identifier and the dynamic key, so that the account name, the application account identifier and the dynamic key need to be bound when the account name is not bound with the application account identifier.
Thus, the authentication server may further perform the steps of:
A1. If the account name is not bound to an application account identifier, randomly generate a dynamic key and bind the dynamic key, the account name and the first application account identifier;
A2. Generate a dynamic password according to the dynamic key;
A3. Send the dynamic password to the user side;
A4. Receive and authenticate the first dynamic password input by the user and sent by the authentication client.
If the account name is not bound with the application account identifier, a dynamic key can be randomly generated, and the dynamic key, the account name and the first application account identifier are bound.
In order to ensure the security of the dynamic key, the dynamic key is usually given a large number of bits, for example 32 bits, but for the user's convenience a dynamic password with a small number of bits needs to be presented to the user; the dynamic password is therefore derived from the dynamic key. The dynamic password may be generated from the dynamic key in a two-factor authentication manner.
Optionally, the dynamic password may be generated from the dynamic key as follows:
generating the dynamic password for the current moment from the dynamic key using a preset hash encryption algorithm.
The preset hash encryption algorithm may be the HmacSHA1 (keyed hash) algorithm.
In two-factor authentication, a one-time password generated from several variables such as the time and a secret key replaces the traditional static password. Because the random parameters differ in each authentication, the dynamic password generated each time is different, and the randomness of the parameters used in each generation makes every dynamic password unpredictable, so that network security is ensured at the most basic link, password authentication. A SecretKeySpec (an implementation class of the KeySpec interface) can be created from the dynamic key and the HmacSHA1 algorithm to build the key specification, and the dynamic password is then generated from it.
S310, the authentication server sends the dynamic password to the user terminal.
After generating the dynamic password, the authentication server can send it to the user side; this consumes only a small amount of the user side's network traffic and incurs no SMS cost for the user, which saves the user's cost.
S311, the authentication client sends the first dynamic password entered by the user to the authentication server.
After receiving the dynamic password issued by the authentication server, the user can enter it on the authentication client, and the authentication client sends this first dynamic password entered by the user to the authentication server for authentication.
S312, the authentication server performs authentication according to the first dynamic password.
After receiving the first dynamic password, the authentication server may authenticate according to it. As described above, the first dynamic password may be a dynamic password generated on the basis of two-factor authentication, and optionally the authentication server may specifically perform the following steps:
receiving an account name and a first dynamic password input by a user and sent by an authentication client;
acquiring a dynamic key bound to the account name according to the account name;
generating all dynamic passwords in a preset time period at the current moment by utilizing a preset Hash encryption algorithm according to the dynamic key;
judging whether a dynamic password consistent with the first dynamic password exists in all the generated dynamic passwords;
if so, determining that the authentication is successful;
and if not, determining that the authentication fails.
The authentication server may obtain the first dynamic password and the account name entered by the user on the authentication client, obtain the dynamic key bound to the account name according to the account name, and verify the first dynamic password using that dynamic key and the current time. A validity period is set for the dynamic password: using the same hash encryption algorithm as was used to generate the dynamic password issued to the user, the server generates from the dynamic key all dynamic passwords within a preset time period ending at the current moment. For example, if the current time is 13:00:00, all dynamic passwords between 12:59:30 and 13:00:00 can be generated, that is, the validity period of the dynamic password is set to 30 seconds, and one of the dynamic passwords generated by the authentication server within those 30 seconds from the same dynamic key is necessarily consistent with the issued one. The server then judges whether a dynamic password consistent with the first dynamic password exists among all the generated dynamic passwords; if so, the issued dynamic password is still usable and authentication can pass. If not, too much time has elapsed between issuing the dynamic password and the user entering the first dynamic password; to prevent an illegal user from maliciously stealing the dynamic password, authentication can be determined to have failed and the user is prompted to obtain a dynamic password again.
In this embodiment, the authentication server checks the account name and password sent by the authentication client, generates a two-dimensional code after the check succeeds, and sends the two-dimensional code to the authentication client, which can display it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, so that the user side can send the scanned two-dimensional code information and application account information to the application server according to that access interface information. The application server feeds back the first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information. If an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, a dynamic password is generated from the dynamic key bound to the account name and sent to the user side; the first dynamic password entered by the user and sent by the authentication client is then received, and authentication is performed. By using the binding relationship between the account name and the application account identifier, the authentication server generates and issues the dynamic password only when the first application account identifier from the user side is the same as the application account identifier bound to the account name. An attacker would therefore have to crack the account name and password and, at the same time, the application account identifier and dynamic password bound to the account name, so the cracking difficulty is high and network security is improved.
Corresponding to the above method embodiment, an embodiment of the present invention provides an authentication apparatus, which is applied to an authentication server in an authentication system, and as shown in fig. 4, the authentication apparatus may include:
a receiving module 410, configured to receive an account name and a password sent by an authentication client;
the verification module 420 is configured to verify the account name and the password, and generate a two-dimensional code after the account name and the password are successfully verified;
a sending module 430, configured to send the two-dimensional code to the authentication client, so that the authentication client displays the two-dimensional code; after the user side is determined to scan the two-dimensional code, sending access interface information to the user side, so that the user side sends the scanned two-dimensional code information and application account information to an application server according to the access interface information;
the receiving module 410 is further configured to receive a first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information;
the determining module 440 is configured to determine whether an identifier that is the same as the first application account identifier exists in the application account identifiers to which the account names are bound;
an obtaining module 450, configured to obtain the dynamic key to which the account name is bound if the determination result of the determining module indicates that the same identifier exists;
a generating module 460, configured to generate a dynamic password according to the dynamic key, and send the dynamic password to the user side;
and the authentication module 470 is configured to receive and perform authentication according to the first dynamic password input by the user and sent by the authentication client.
Optionally, the apparatus may further include:
and the binding module is used for randomly generating a dynamic key if the account name is determined not to be bound with the application account identifier, and binding the dynamic key, the account name and the first application account identifier.
Optionally, the generating module 460 may be specifically configured to:
generating a dynamic password at the current moment by utilizing a preset Hash encryption algorithm according to the dynamic key;
the authentication module 470 may specifically be configured to:
receiving an account name and a first dynamic password which are sent by the authentication client and input by a user;
acquiring a dynamic key bound to the account name according to the account name;
generating all dynamic passwords in a preset time period at the current moment by utilizing the preset Hash encryption algorithm according to the dynamic key;
judging whether a dynamic password consistent with the first dynamic password exists in all the generated dynamic passwords;
if so, determining that the authentication is successful;
and if not, determining that the authentication fails.
Optionally, the authentication module 470 may be further configured to:
and if the judgment result of the judgment module is that the same identification does not exist, determining that the authentication fails.
Corresponding to the above method embodiment, an embodiment of the present invention further provides an authentication apparatus, which is applied to an authentication client in an authentication system, and as shown in fig. 5, the authentication apparatus may include:
a sending module 510, configured to send an account name and a password input by a user to an authentication server, so that the authentication server verifies the account name and the password, and generates a two-dimensional code after verification is successful;
a receiving module 520, configured to receive the two-dimensional code sent by the authentication server, and display the two-dimensional code, so that the user side scans the two-dimensional code, and sends scanned two-dimensional code information and application account information to an application server according to access interface information sent by the authentication server; receiving a first dynamic password input by a user;
the sending module 510 is further configured to send the first dynamic password to the authentication server, so that the authentication server performs authentication according to the first dynamic password.
In this embodiment, the authentication server checks the account name and password sent by the authentication client, generates a two-dimensional code after the check succeeds, and sends the two-dimensional code to the authentication client, which can display it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, so that the user side can send the scanned two-dimensional code information and application account information to the application server according to that access interface information. The application server feeds back the first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information. If an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, a dynamic password is generated from the dynamic key bound to the account name and sent to the user side; the first dynamic password entered by the user and sent by the authentication client is then received, and authentication is performed. By using the binding relationship between the account name and the application account identifier, the authentication server generates and issues the dynamic password only when the first application account identifier from the user side is the same as the application account identifier bound to the account name. An attacker would therefore have to crack the account name and password and, at the same time, the application account identifier and dynamic password bound to the account name, so the cracking difficulty is high and network security is improved.
An embodiment of the present invention further provides an authentication server, as shown in fig. 6, including a processor 601 and a machine-readable storage medium 602, where the machine-readable storage medium 602 stores machine-executable instructions that can be executed by the processor 601, and the instructions are loaded and executed by the processor 601: the steps of the authentication method applied to the authentication server provided by the embodiment of the invention are realized.
An embodiment of the present invention further provides an authentication client, as shown in fig. 7, including a processor 701 and a machine-readable storage medium 702, where the machine-readable storage medium 702 stores machine-executable instructions that can be executed by the processor 701, and the instructions are loaded and executed by the processor 701: the steps of the authentication method applied to the authentication client provided by the embodiment of the invention are realized.
The machine-readable storage medium may include RAM (Random Access Memory) and NVM (Non-Volatile Memory), such as at least one disk memory. Alternatively, the machine-readable storage medium may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
Data transmission between the machine-readable storage medium 602 and the processor 601, and between the machine-readable storage medium 702 and the processor 701 may be performed by means of wired connection or wireless connection, and communication between the authentication server and the authentication client, and between the authentication server, the authentication client and other devices may be performed by means of wired communication interface or wireless communication interface. Fig. 6 and 7 are only examples of data transmission through the bus, and are not limited to specific connection modes.
In this embodiment, the processor 601, by reading and executing the machine-executable instructions stored in the machine-readable storage medium 602, and the processor 701, by reading and executing the machine-executable instructions stored in the machine-readable storage medium 702, can implement the following: the authentication server checks the account name and password sent by the authentication client, generates a two-dimensional code after the check succeeds, and sends the two-dimensional code to the authentication client, which can display it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, so that the user side can send the scanned two-dimensional code information and application account information to the application server according to that access interface information. The application server feeds back a first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information. If an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, a dynamic password is generated from the dynamic key bound to the account name and sent to the user side; the first dynamic password entered by the user and sent by the authentication client is then received, and authentication is performed.
By utilizing the binding relationship between the account name and the application account identifier, when the first application account identifier of the user side is the same as the application account identifier bound with the account name, the authentication server generates and issues the dynamic password, and an attacker needs to crack the account name and the password simultaneously and also needs to crack the application account identifier and the dynamic password bound with the account name during attack, so that the cracking difficulty is high, and the network security is improved.
In addition, the embodiment of the present invention further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions, and the instructions are loaded and executed by a processor to implement the steps of the authentication method applied to the authentication server provided by the embodiment of the present invention.
The embodiment of the present invention further provides a machine-readable storage medium, where the machine-readable storage medium stores therein machine-executable instructions, and the instructions are loaded and executed by a processor to implement the steps of the authentication method applied to the authentication client provided by the embodiment of the present invention.
In this embodiment, the machine-readable storage medium stores machine-executable instructions that, when executed by a processor, carry out the authentication method applied to the authentication server and the authentication client provided by the embodiment of the present invention, so that the following can be implemented: the authentication server checks the account name and password sent by the authentication client, generates a two-dimensional code after the check succeeds, and sends the two-dimensional code to the authentication client, which can display it to the user. After determining that the user side has scanned the two-dimensional code, the authentication server sends access interface information to the user side, so that the user side can send the scanned two-dimensional code information and application account information to the application server according to that access interface information. The application server feeds back a first application account identifier to the authentication server according to the scanned two-dimensional code information and the application account information. If an identifier identical to the first application account identifier exists among the application account identifiers bound to the account name, a dynamic password is generated from the dynamic key bound to the account name and sent to the user side; the first dynamic password entered by the user and sent by the authentication client is then received, and authentication is performed.
By utilizing the binding relationship between the account name and the application account identifier, when the first application account identifier of the user side is the same as the application account identifier bound with the account name, the authentication server generates and issues the dynamic password, and an attacker needs to crack the account name and the password simultaneously and also needs to crack the application account identifier and the dynamic password bound with the account name during attack, so that the cracking difficulty is high, and the network security is improved.
For the embodiments of the authentication server, the authentication client and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and the related points can be referred to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the apparatus, the authentication server, the authentication client, and the machine-readable storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and the relevant points can be referred to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. An authentication method, applied to an authentication server in an authentication system, the method comprising:
receiving an account name and a password sent by an authentication client;
verifying the account name and the password, and generating a two-dimensional code after the account name and the password are successfully verified;
sending the two-dimension code to the authentication client side so that the authentication client side can display the two-dimension code;
after the user side is determined to scan the two-dimensional code, sending access interface information to the user side, so that the user side sends the scanned two-dimensional code information and application account information to an application server according to the access interface information;
receiving a first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information;
judging whether an identifier which is the same as the first application account identifier exists in the application account identifiers with the bound account names;
if the same identification exists, acquiring a dynamic key bound to the account name; generating a dynamic password according to the dynamic key, and sending the dynamic password to the user side; and receiving and authenticating according to a first dynamic password input by the user and sent by the authentication client.
2. The method of claim 1, further comprising:
if the account name is determined not to be bound with the application account identifier, randomly generating a dynamic key, and binding the dynamic key, the account name and the first application account identifier;
generating a dynamic password according to the dynamic key;
sending the dynamic password to the user side;
and receiving and authenticating according to a first dynamic password input by the user and sent by the authentication client.
3. The method according to claim 1 or 2, wherein the generating a dynamic password from the dynamic key comprises:
generating a dynamic password at the current moment by utilizing a preset Hash encryption algorithm according to the dynamic key;
the receiving and authenticating according to the first dynamic password input by the user and sent by the authentication client comprises the following steps:
receiving an account name and a first dynamic password which are sent by the authentication client and input by a user;
acquiring a dynamic key bound to the account name according to the account name;
generating all dynamic passwords in a preset time period at the current moment by utilizing the preset Hash encryption algorithm according to the dynamic key;
judging whether a dynamic password consistent with the first dynamic password exists in all the generated dynamic passwords;
if so, determining that the authentication is successful;
and if not, determining that the authentication fails.
4. The method according to claim 1, wherein after the determining whether the identifier identical to the first application account identifier exists in the application account identifiers to which the account names are bound, the method further comprises:
and if the same identification does not exist, determining that the authentication fails.
5. An authentication method applied to an authentication client in an authentication system, the method comprising:
sending an account name and a password input by a user to an authentication server so that the authentication server verifies the account name and the password, and generating a two-dimensional code after the verification is successful;
receiving the two-dimension code sent by the authentication server, displaying the two-dimension code, enabling a user end to scan the two-dimension code, and sending scanned two-dimension code information and application account information to an application server according to access interface information sent by the authentication server;
receiving a first dynamic password input by a user;
and sending the first dynamic password to the authentication server so that the authentication server performs authentication according to the first dynamic password.
6. An authentication apparatus, applied to an authentication server in an authentication system, the apparatus comprising:
the receiving module is used for receiving the account name and the password sent by the authentication client;
the verification module is used for verifying the account name and the password and generating a two-dimensional code after the account name and the password are verified successfully;
the sending module is used for sending the two-dimension code to the authentication client so that the authentication client can display the two-dimension code; after the user side is determined to scan the two-dimensional code, sending access interface information to the user side, so that the user side sends the scanned two-dimensional code information and application account information to an application server according to the access interface information;
the receiving module is further configured to receive a first application account identifier fed back by the application server according to the scanned two-dimensional code information and the application account information;
the judging module is used for judging whether an identifier which is the same as the first application account identifier exists in the application account identifiers bound by the account names;
the obtaining module is used for obtaining the dynamic key bound to the account name if the judgment result of the judging module is that the same identification exists;
the generating module is used for generating a dynamic password according to the dynamic key and sending the dynamic password to the user side;
and the authentication module is used for receiving and authenticating according to the first dynamic password input by the user and sent by the authentication client.
7. The apparatus of claim 6, further comprising:
and the binding module is used for randomly generating a dynamic key if the account name is determined not to be bound with the application account identifier, and binding the dynamic key, the account name and the first application account identifier.
8. The apparatus according to claim 6 or 7, wherein the generating module is specifically configured to:
generating a dynamic password at the current moment by utilizing a preset Hash encryption algorithm according to the dynamic key;
the authentication module is specifically configured to:
receiving an account name and a first dynamic password which are sent by the authentication client and input by a user;
acquiring a dynamic key bound to the account name according to the account name;
generating all dynamic passwords in a preset time period at the current moment by utilizing the preset Hash encryption algorithm according to the dynamic key;
judging whether a dynamic password consistent with the first dynamic password exists in all the generated dynamic passwords;
if so, determining that the authentication is successful;
and if not, determining that the authentication fails.
9. The apparatus of claim 6, wherein the authentication module is further configured to:
and if the judgment result of the judgment module is that the same identification does not exist, determining that the authentication fails.
10. An authentication apparatus, applied to an authentication client in an authentication system, the apparatus comprising:
the sending module is used for sending the account name and the password input by the user to an authentication server so that the authentication server can verify the account name and the password, and after the verification is successful, a two-dimensional code is generated;
the receiving module is used for receiving the two-dimensional code sent by the authentication server, displaying the two-dimensional code, enabling the user side to scan the two-dimensional code, and sending scanned two-dimensional code information and application account information to the application server according to the access interface information sent by the authentication server; receiving a first dynamic password input by a user;
the sending module is further configured to send the first dynamic password to the authentication server, so that the authentication server performs authentication according to the first dynamic password.
11. A machine-readable storage medium having stored thereon machine-executable instructions, which are loaded and executed by a processor, to implement the method of any one of claims 1-4.
CN201811444791.1A 2018-11-29 2018-11-29 Authentication method, authentication device and machine-readable storage medium Active CN109583181B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811444791.1A CN109583181B (en) 2018-11-29 2018-11-29 Authentication method, authentication device and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811444791.1A CN109583181B (en) 2018-11-29 2018-11-29 Authentication method, authentication device and machine-readable storage medium

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN109583181A (en) | 2019-04-05 |
| CN109583181B (en) | 2020-07-03 |

Family

ID=65925645

Family Applications (1)

| Application Number | Status | Publication | Priority Date | Filing Date | Title |
|---|---|---|---|---|---|
| CN201811444791.1A | Active | CN109583181B (en) | 2018-11-29 | 2018-11-29 | Authentication method, authentication device and machine-readable storage medium |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN109583181B (en) |

Families Citing this family (11)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110611719B (en) * | 2019-10-16 | 2022-04-19 | 四川虹美智能科技有限公司 | Message pushing method, server and system |
| CN111104629B (en) * | 2019-11-26 | 2023-04-11 | 广州羊城通有限公司 | Verification method and device of dynamic two-dimensional code |
| CN111522541B (en) * | 2020-01-17 | 2023-08-01 | 中国银联股份有限公司 | Graphical code generation method and device and computer readable storage medium |
| CN112351424B (en) * | 2020-07-28 | 2024-03-12 | 深圳Tcl新技术有限公司 | Wireless networking management method, system, device and computer readable storage medium |
| CN111935138B (en) * | 2020-08-07 | 2022-03-18 | 珠海海鹦安全科技有限公司 | Protection method and device for secure login and electronic equipment |
| CN112261051B (en) * | 2020-10-23 | 2023-06-06 | 北京奇艺世纪科技有限公司 | User registration method, device and system |
| CN112702171B (en) * | 2020-12-23 | 2021-10-15 | 北京航空航天大学 | Distributed identity authentication method facing edge gateway |
| CN113591069B (en) * | 2021-08-04 | 2023-11-07 | 中国农业银行股份有限公司山东省分行 | Identity authentication method, equipment and medium based on intelligent callback machine |
| CN114257455A (en) * | 2021-12-28 | 2022-03-29 | 北京爱学习博乐教育科技有限公司 | Method and system for connecting enterprise VPN by using dynamic password |
| CN115131900A (en) * | 2022-06-27 | 2022-09-30 | 中国银行股份有限公司 | Door opening method and device by using door opening software |
| CN115862192B (en) * | 2022-11-07 | 2023-11-03 | 北京深盾科技股份有限公司 | Control method, control system, electronic device and storage medium |

Citations (3)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN105138942A (en) * | 2015-08-26 | 2015-12-09 | 小米科技有限责任公司 | Two-dimensional code display method and device |
| CN107454040A (en) * | 2016-05-30 | 2017-12-08 | 腾讯科技(深圳)有限公司 | The login method and device of application |

Family Cites Families (1)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10152582B2 (en) * | 2014-03-24 | 2018-12-11 | Jose Bolanos | System and method for securing, and providing secured access to encrypted global identities embedded in a QR code |

Patent Citations (3)

* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN105138942A (en) * | 2015-08-26 | 2015-12-09 | 小米科技有限责任公司 | Two-dimensional code display method and device |
| CN107454040A (en) * | 2016-05-30 | 2017-12-08 | 腾讯科技(深圳)有限公司 | The login method and device of application |

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party

| Title |
|---|
| Research on a mutual identity authentication method for mobile applications based on mobile phone tokens; 郑兆华 (Zheng Zhaohua); 《电学科学》; 2014-12-31; pp. 87-99 * |

Also Published As

| Publication number | Publication date |
|---|---|
| CN109583181A (en) | 2019-04-05 |

Similar Documents

| Publication | Title |
|---|---|
| CN109583181B (en) | Authentication method, authentication device and machine-readable storage medium |
| US9887999B2 (en) | Login method and apparatus |
| CN106657152B (en) | Authentication method, server and access control device |
| CN106779716B (en) | Authentication method, device and system based on block chain account address |
| TW201914256A (en) | Identity verification method and device, electronic equipment |
| CN105847245B (en) | Electronic mailbox login authentication method and device |
| US8474014B2 (en) | Methods for the secure use of one-time passwords |
| CN109040070B (en) | File transmission method, device and computer readable storage medium |
| KR101214839B1 (en) | Authentication method and authentication system |
| US9124571B1 (en) | Network authentication method for secure user identity verification |
| WO2015034384A1 (en) | Apparatus and method for authenticating a user via multiple user devices |
| CN111460423A (en) | Two-dimensional code scanning login method and device |
| CN101860540A (en) | Method and device for identifying legality of website service |
| JP2010097512A (en) | Application download system and method of portable terminal |
| CN111800276B (en) | Service processing method and device |
| CN113641973A (en) | Identity authentication method, system and medium |
| CN106714158B (en) | WiFi access method and device |
| WO2007038283A2 (en) | Web page approval and authentication application incorporating multi-factor user authentication component |
| KR100750214B1 (en) | Log-in Method Using Certificate |
| EP2916509B1 (en) | Network authentication method for secure user identity verification |
| CN115086090A (en) | Network login authentication method and device based on UKey |
| CN111740938B (en) | Information processing method and device, client and server |
| CN114640460B (en) | User login method, device, equipment and medium in application program |
| JP7403430B2 (en) | Authentication device, authentication method and authentication program |
| KR20120088236A (en) | User authentification system for contents service and method thereof |

Legal Events

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |